
Qualys Policy Compliance & SCA — Controls, Benchmarks & Audit Reporting

Qualys Policy Compliance (PC) and Security Configuration Assessment (SCA) together let you prove every asset meets its CIS or DISA benchmark — automatically, at scale, with exception workflows and audit-ready reports. This lesson maps how PC controls work, where SCA fits, how mandates and benchmarks are applied, and how to manage exceptions without burying your auditor in noise.

📅 2026-06-20 · ⏱ 17 min

⚡ Quick Answer

Master Qualys Policy Compliance and SCA in 2026: PC controls, CIS and DISA benchmarks, mandates, Security Configuration Assessment, audit reporting and exceptions management — with Qualys VMDR.

Lesson path

1. PC vs SCA. Two tools, one goal: configuration compliance.
2. Controls & collection. How controls are built, run and evaluated.
3. Benchmarks & mandates. CIS, DISA, PCI, ISO and custom policies.
4. Reporting & exceptions. Dashboards, trend reports and the exception workflow.

🧠 Warm-up — 3 questions, no score

Just notice which ones make you pause. We answer all three inside the lesson.

1. Is Qualys SCA the same product as Policy Compliance?

Answered in PC vs SCA.

2. What does a 'Failed' control result mean in Qualys PC?

Answered in Controls & collection.

3. Where do you manage a control exception so it does not keep showing as Failed?

Answered in Reporting & exceptions.

Most engineers think…

Most people lump Policy Compliance and SCA together as 'just scanning for misconfigs' — and then struggle when an interviewer or auditor asks them to explain how exceptions work or why a CIS Benchmark differs from a DISA STIG.

Qualys PC is a full-scale, policy-driven compliance engine: it checks every configuration control on every asset, records a Pass/Fail/Error per control, rolls results up into a compliance score, and generates audit-ready reports. SCA is a lighter, CIS-focused add-on that uses the agent for near-real-time assessment of cloud and on-prem workloads. Understanding both — and knowing when to grant a time-boxed exception vs. accept risk — is what separates a junior sysadmin from a compliance engineer.

① Policy Compliance vs SCA — same goal, different reach

Qualys ships two overlapping but distinct modules for configuration compliance. Policy Compliance (PC) is the mature, full-featured engine: it supports scanner-based and agent-based data collection, a rich library of pre-built policies (CIS, DISA STIG, PCI DSS, HIPAA, ISO 27001, Cyber Essentials, SOX and custom), and generates detailed audit reports with trend history. It is licenced separately from VMDR and is the tool you use for formal regulatory audits.

Security Configuration Assessment (SCA) is a lighter module bundled inside VMDR that focuses specifically on CIS Benchmarks via the Qualys Cloud Agent. It is designed for fast, continuous assessment of cloud instances and on-prem servers without requiring network-based scanner access. The result: SCA is great for cloud-native teams who already deploy agents everywhere; PC is required when your auditor needs formal reports against DISA STIGs, PCI DSS or a custom mandate.

Figure 1 — How a Qualys PC assessment runs end-to-end
Every compliance check follows the same five steps, from asset discovery to audit-ready report: Discover (asset inventory and tags) → Collect (agent or scan credentials) → Evaluate (Pass / Fail / Error) → Score (% of controls passing) → Report (dashboard + PDF audit).

Figure 2 — Policy Compliance vs SCA — scope and use case
PC and SCA share the same goal but differ in scope, collection method and typical use case.
Policy Compliance (PC): scanner + agent collection; CIS, DISA, PCI, ISO, custom; formal audit reports + trends; separate licence; all asset types.
SCA (bundled in VMDR): agent-only collection; CIS Benchmarks only; fast posture view in VMDR; cloud-ready; no extra licence.
Quick check · Q1 of 10 · Understand

A cloud-native team already deploys the Qualys Cloud Agent on every EC2 instance and needs a quick CIS Benchmark posture view inside their VMDR licence. Which module fits best?

Answer: SCA. It is the CIS Benchmark-focused, agent-only module bundled inside VMDR, ideal for cloud teams that already run the agent and want a fast posture view without a separate PC licence.
👉 So far: PC = broad compliance engine (scanner + agent, all mandate families, formal audit reports). SCA = lighter CIS-only, agent-based module bundled in VMDR.

② How controls are structured, collected and evaluated

A Qualys control is the atomic unit of policy compliance — it maps one expected configuration value (e.g. 'SSH PermitRootLogin must be no') to one technology (Linux/RHEL 9). Each control has a control ID, a technology tag, a data collection method, an expected value and a criticality rating. Controls are grouped into policies, which are snapshots of a mandate or benchmark applied to an asset group.

Collection methods

Qualys gathers configuration data in two ways: scanner-based (authenticated scan using SSH or WMI — the scanner logs in and reads registry keys, file settings, and command output) and agent-based (the Qualys Cloud Agent collects continuously and pushes compliance data to the platform). Agent-based collection gives more frequent data; scanner-based is needed for legacy systems that cannot run an agent. Findings are evaluated as Pass (actual value matches expected), Fail (mismatch), or Error (data could not be collected — missing credential, agent offline, or unsupported technology).

🔍 PC Control

The atomic compliance check: one expected configuration value for one technology. Evaluated as Pass, Fail or Error against actual settings collected by scanner or agent.

📋 Policy

A group of controls applied to an asset group. Policies snapshot a mandate (CIS, DISA, PCI) or a custom configuration baseline.

🛡️ CIS vs DISA STIG

CIS Benchmarks (Level 1/Level 2) are community guidelines; DISA STIGs are US DoD standards. CIS STIG benchmarks (labelled in the Qualys library in April 2026) are CIS-formatted but aligned to DoD requirements: same control intent, different presentation.

Compliance Exception

A dated, justified waiver for a failing control. Types: Mitigating Control, Risk Acceptance, or False Positive. Expires automatically and never silently removes a failure from the audit trail.

Error ≠ Fail — triage differently

In an interview, always distinguish Error from Fail. A Fail means you found the setting and it is wrong. An Error means you never got the data — fix your credential or agent first, or you will chase phantom compliance gaps and report inflated Fail counts.
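To make the Pass / Fail / Error distinction concrete, here is an added example in Python (not Qualys code): a toy evaluator that parses `sshd -T` output collected from a few hosts, applies four hypothetical SSH controls, and computes the score two ways so you can see how counting Errors as Fails distorts the picture. The control IDs, host names, config text and the scoring formula are constructed assumptions; Qualys's exact score formula is not reproduced here.

```python
"""Illustrative Qualys-style control evaluation (added example, not Qualys code).

A control pairs one expected value with one parameter for one technology.
Evaluation yields Pass (matches), Fail (mismatch) or Error (no data).
Control IDs, host names and the config text below are constructed.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional, Tuple


class Result(str, Enum):
    PASS = "Pass"
    FAIL = "Fail"
    ERROR = "Error"


@dataclass(frozen=True)
class Control:
    cid: int            # hypothetical control ID
    technology: str
    parameter: str      # keyword as printed by `sshd -T` (lower-case)
    expected: str
    criticality: str    # High / Medium / Low


CONTROLS: List[Control] = [
    Control(1001, "RHEL 9", "permitrootlogin", "no", "High"),
    Control(1002, "RHEL 9", "permitemptypasswords", "no", "High"),
    Control(1003, "RHEL 9", "maxauthtries", "4", "Medium"),
    Control(1004, "RHEL 9", "x11forwarding", "no", "Low"),
]

# Constructed "collected" data: the effective sshd configuration as printed by
# `sshd -T` on each host. None models an agent that is offline (nothing collected);
# app01 models a partial collection where one parameter never arrived.
COLLECTED: Dict[str, Optional[str]] = {
    "web01": "permitrootlogin yes\npermitemptypasswords no\nmaxauthtries 6\nx11forwarding no\n",
    "web02": "permitrootlogin no\npermitemptypasswords no\nmaxauthtries 4\nx11forwarding no\n",
    "db01": None,
    "app01": "permitrootlogin no\npermitemptypasswords no\nx11forwarding no\n",
}


def parse_sshd_t(text: str) -> Dict[str, str]:
    """Parse `sshd -T` output (one 'keyword value' per line) into a dict.

    sshd uses the first value it sees for a keyword, so keep the first occurrence.
    """
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        settings.setdefault(key.lower(), value.strip())
    return settings


def evaluate(control: Control, settings: Optional[Dict[str, str]]) -> Result:
    """Error when nothing was collected or the parameter is absent; otherwise compare."""
    if settings is None or control.parameter not in settings:
        return Result.ERROR
    actual = settings[control.parameter].lower()
    return Result.PASS if actual == control.expected.lower() else Result.FAIL


def assess(controls: List[Control], collected: Dict[str, Optional[str]]) -> List[Tuple[str, int, Result]]:
    """Evaluate every control on every host; returns (host, cid, result) rows."""
    rows: List[Tuple[str, int, Result]] = []
    for host, text in collected.items():
        settings = parse_sshd_t(text) if text is not None else None
        rows.extend((host, c.cid, evaluate(c, settings)) for c in controls)
    return rows


def counts(rows: List[Tuple[str, int, Result]]) -> Dict[Result, int]:
    totals = {r: 0 for r in Result}
    for _, _, result in rows:
        totals[result] += 1
    return totals


def compliance_score(rows: List[Tuple[str, int, Result]], errors_as_fail: bool = False) -> Optional[float]:
    """Share of evaluated controls passing. By default Errors are treated as coverage
    gaps, not failures (an assumption of this example, not Qualys's exact formula)."""
    c = counts(rows)
    denominator = c[Result.PASS] + c[Result.FAIL] + (c[Result.ERROR] if errors_as_fail else 0)
    return c[Result.PASS] / denominator if denominator else None


def collection_coverage(rows: List[Tuple[str, int, Result]]) -> float:
    """Fraction of control checks for which data was actually collected."""
    c = counts(rows)
    return (c[Result.PASS] + c[Result.FAIL]) / len(rows)


def failing_controls(rows, controls: List[Control], criticality: Optional[str] = None):
    """Fails only (never Errors), optionally filtered by criticality, highest first."""
    by_cid = {c.cid: c for c in controls}
    rank = {"High": 0, "Medium": 1, "Low": 2}
    fails = [(host, cid, by_cid[cid].criticality) for host, cid, r in rows if r is Result.FAIL]
    if criticality:
        fails = [f for f in fails if f[2] == criticality]
    return sorted(fails, key=lambda f: (rank[f[2]], f[0], f[1]))


if __name__ == "__main__":
    rows = assess(CONTROLS, COLLECTED)
    print({r.value: n for r, n in counts(rows).items()})
    print("score (errors excluded):", compliance_score(rows))
    print("score (errors as fail): ", compliance_score(rows, errors_as_fail=True))
    print("collection coverage:    ", collection_coverage(rows))
    for host, cid, crit in failing_controls(rows, CONTROLS):
        print(f"FAIL {host} CID {cid} ({crit})")
```

Run it and the two scores diverge (9/11 vs 9/16) purely because db01 never reported and app01 reported incompletely; the real misconfigurations are the two on web01. Fix collection on db01 and app01 first, then the Fail list is what you remediate or except.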

Quick check · Q2 of 10 · Remember

A control evaluation returns 'Error'. What does this most likely mean?

Answer: the platform could not retrieve the configuration data. Error is not a compliance verdict. Common causes: missing or wrong scan credential, offline agent, or unsupported technology. Fix collection before drawing compliance conclusions.
👉 So far: Controls evaluate to Pass (matches), Fail (mismatches) or Error (no data). Error is a collection gap — fix credentials or agent, not the control.

③ Benchmarks and mandates — the Qualys policy library

Qualys maintains a continuously updated policy library with hundreds of out-of-the-box policies covering every major mandate. The four families you must be able to name:

1. CIS Benchmarks: Level 1 and Level 2 controls for OS, cloud, containers, databases and applications; also available in CIS STIG flavour, which aligns CIS controls to DISA STIG identifiers.
2. DISA STIGs: Security Technical Implementation Guides for the US DoD, the authoritative source for federal hardening.
3. PCI DSS: configuration requirements for cardholder data environments, updated through PCI DSS 4.0.
4. ISO 27001 and custom mandates: you can build a custom policy by picking controls from any technology library and defining your own expected values and criticality weights.

In April 2026 Qualys introduced CIS STIG labels inside the Policy Audit library, letting teams surface CIS-released STIG-aligned benchmarks directly alongside native DISA STIGs — useful when a customer needs CIS formatting but DoD equivalence. CIS STIG vs DISA STIG differ only in presentation, not in the underlying control intent.

Figure 3 — Qualys policy library — mandate families
One platform, many mandate families, each policy mapping its controls to the same collection engine: CIS Benchmarks, CIS STIG (2026), DISA STIGs, PCI DSS 4.0, ISO 27001, custom mandates.
'CIS and DISA are the same' oversimplification

CIS Benchmarks and DISA STIGs cover similar ground but are NOT interchangeable in a federal audit. DISA STIGs are the authoritative DoD requirement; CIS STIG benchmarks (added to Qualys in April 2026) are CIS-formatted equivalents. If your customer is a US agency or contractor under CMMC, confirm CIS STIG acceptance before using it as the primary evidence artefact.

▶ Worked path: a CIS Benchmark control evaluated, excepted and remediated

How one failing SSH control moves from detection to exception to remediation. This is the healthy path; the classic break is a data-collection Error at step ①, which must be fixed before any compliance conclusion is drawn.

① Collect. The Qualys Cloud Agent on a RHEL 9 server reads the SSH daemon configuration and sends it to the platform.
② Evaluate. The PC engine compares the actual PermitRootLogin value ('yes') against the CIS Benchmark expected value ('no'): result Fail.
③ Exception. The ops team raises a Risk Acceptance exception: justification = 'vendor constraint', expiry = 90 days. The score stays clean and the auditor sees the exception.
④ Remediate. After vendor approval, the SSH setting is corrected. The next agent assessment shows Pass. The exception is closed and the evidence trail is preserved.
Quick check · Q3 of 10 · Apply

A US federal agency customer needs Qualys to assess Linux servers against DoD hardening standards. Which policy family should you select?

Answer: DISA STIGs. They are the authoritative DoD configuration standard for US federal environments. CIS STIG benchmarks (CIS-formatted, DoD-aligned, labelled in Qualys in April 2026) may also be acceptable; confirm customer acceptance before using them as the primary audit artefact.
👉 So far: Policy library covers CIS (L1/L2), CIS STIG (2026), DISA STIG, PCI DSS 4.0, ISO 27001 and custom mandates — all fed by the same collection engine.

④ Reporting, dashboards and the exception workflow

Qualys PC produces three kinds of output. Compliance dashboards show the real-time posture score (percentage of controls passing) per asset group, policy and technology, with drill-down to individual failing controls and the raw evidence that caused the failure. Trend reports compare posture over time (weekly, monthly, quarter-over-quarter) so you can show auditors that the score is improving. Policy report PDFs are the formal audit artefact: they list every control, its result and the evidence, each timestamped at generation.

Managing exceptions

When a control fails but the risk is accepted (or a compensating control exists), you raise an exception: assign it to an owner, add a business justification, select a type (Mitigating Control, Risk Acceptance or False Positive) and set an expiry date. Approved exceptions are excluded from the score and flagged clearly in reports so auditors see them — not hidden. Expired exceptions auto-revert to Fail, so nothing silently falls off the radar. The golden rule: never delete a failing control — raise a dated exception instead so there is an evidence trail.

Figure 4 — Exception lifecycle — from Fail to approved and tracked
Exceptions do not hide failures; they document risk acceptance with a justification, owner and expiry: Fail detected (control value mismatches expected) → Exception raised (type, justification, owner, expiry) → Approved & tracked (excluded from score; audit visible) → Expiry auto-reverts (returns to Fail, no silent gaps).

Kavitha at a Chennai-based fintech faces this

The weekly Qualys PC report shows overall compliance score at 61% — well below the PCI DSS 4.0 target of 95%. The auditor is arriving in three weeks.

Likely cause

Legacy Windows Server 2016 hosts have 140 failing controls, mostly around audit log settings and SMBv1, that were never remediated after the initial scan.

Diagnosis

Open PC ▸ Policies ▸ PCI DSS ▸ Failing Controls, filter by criticality = High and group by technology (PC ▸ Policies ▸ Compliance Report ▸ Failing Controls). Most failures cluster on audit policy (Event Log size, success/failure flags) and network protocol (SMBv1 enabled): easy wins.

Fix

Remediate the audit log settings via GPO (fast, no vendor constraint). For SMBv1: raise a Mitigating Control exception for the three systems with vendor-locked constraints, documenting that network segmentation compensates. Score rises from 61% to 93% within a week.

Verify

Re-run the Qualys PC report after the next scan cycle. The dashboard shows 93% Pass. The three SMBv1 exceptions appear with their justifications and expiry dates, and the auditor accepts them as documented compensating controls.

Check exception expiry before every audit window

A compliance score of 98% can drop to 75% overnight when batch exceptions expire. Before every audit, run PC ▸ Exceptions ▸ Expiring Soon and renew or escalate each one. Surprises in audit reports almost always trace back to an expired exception nobody renewed.
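The exception rules above (typed, justified, owned and dated; excluded from the score while approved and unexpired; auto-revert on expiry; review what is about to lapse before an audit window), as an added Python example that is not Qualys code. Hosts, the control ID, dates, the 30-day warning window and the 365-day maximum lifetime are constructed assumptions, as is the choice to drop excepted controls from both numerator and denominator of the score.

```python
"""Illustrative exception lifecycle for failing PC controls (added example, not Qualys code).

Models the rule the lesson states: an exception is typed, justified, owned and dated;
approved ones are excluded from the score but stay visible; expired ones revert to Fail.
Host names, control IDs, dates and the 30-day warning window are constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum
from typing import Dict, List, Optional, Tuple


class ExceptionType(Enum):
    MITIGATING_CONTROL = "Mitigating Control"
    RISK_ACCEPTANCE = "Risk Acceptance"
    FALSE_POSITIVE = "False Positive"


@dataclass(frozen=True)
class Finding:
    host: str
    cid: int
    result: str              # "Pass" or "Fail" as returned by the evaluation


@dataclass(frozen=True)
class ControlException:
    host: str
    cid: int
    kind: ExceptionType
    justification: str
    owner: str
    expires_on: date
    approved: bool = False   # a pending request changes nothing


TODAY = date(2026, 6, 20)    # fixed reference date so the example is deterministic

# Constructed posture: 8 passing controls and 4 SMBv1-style failures on finance hosts.
FINDINGS: List[Finding] = (
    [Finding(f"web{n:02d}", 2001, "Pass") for n in range(1, 9)]
    + [Finding("fin01", 2001, "Fail"), Finding("fin02", 2001, "Fail"),
       Finding("fin03", 2001, "Fail"), Finding("fin04", 2001, "Fail")]
)

EXCEPTIONS: List[ControlException] = [
    ControlException("fin01", 2001, ExceptionType.MITIGATING_CONTROL,
                     "Vendor-locked appliance; segmented VLAN with SMB blocked at the firewall",
                     "kavitha", TODAY + timedelta(days=10), approved=True),
    ControlException("fin02", 2001, ExceptionType.RISK_ACCEPTANCE,
                     "Decommission scheduled", "kavitha", TODAY - timedelta(days=1), approved=True),
    ControlException("fin03", 2001, ExceptionType.MITIGATING_CONTROL,
                     "Awaiting CISO sign-off", "kavitha", TODAY + timedelta(days=90), approved=False),
    ControlException("fin04", 2001, ExceptionType.FALSE_POSITIVE,
                     "Feature removed; detection keyed on a stale registry value",
                     "ops-lead", TODAY + timedelta(days=200), approved=True),
]


def validate_request(exc: ControlException, today: date, max_days: int = 365) -> List[str]:
    """Reject requests that would not stand up in an audit: no justification, no owner,
    already expired, or open-ended (longer than max_days, an assumed policy limit)."""
    problems: List[str] = []
    if not exc.justification.strip():
        problems.append("missing justification")
    if not exc.owner.strip():
        problems.append("missing owner")
    if exc.expires_on <= today:
        problems.append("expiry must be in the future")
    elif (exc.expires_on - today).days > max_days:
        problems.append(f"expiry beyond {max_days}-day limit")
    return problems


def is_active(exc: ControlException, today: date) -> bool:
    """Only approved, unexpired exceptions change the effective result."""
    return exc.approved and exc.expires_on > today


def effective_results(findings: List[Finding], exceptions: List[ControlException],
                      today: date) -> Dict[Tuple[str, int], str]:
    """Map (host, cid) -> 'Pass' | 'Fail' | 'Excepted'. Expired or pending exceptions
    leave the control at Fail; nothing is ever deleted."""
    active = {(e.host, e.cid) for e in exceptions if is_active(e, today)}
    out: Dict[Tuple[str, int], str] = {}
    for f in findings:
        key = (f.host, f.cid)
        out[key] = "Excepted" if (f.result == "Fail" and key in active) else f.result
    return out


def compliance_score(effective: Dict[Tuple[str, int], str]) -> Optional[float]:
    """Excepted controls are dropped from numerator and denominator (an assumption of
    this example about how 'excluded from the score' is applied)."""
    scored = [r for r in effective.values() if r != "Excepted"]
    return scored.count("Pass") / len(scored) if scored else None


def reverted_to_fail(findings, exceptions, today: date) -> List[Tuple[str, int]]:
    """Approved exceptions that have expired and therefore count as Fail again."""
    failing = {(f.host, f.cid) for f in findings if f.result == "Fail"}
    return sorted((e.host, e.cid) for e in exceptions
                  if e.approved and e.expires_on <= today and (e.host, e.cid) in failing)


def expiring_soon(exceptions, today: date, within_days: int = 30) -> List[Tuple[str, int, date]]:
    """What to review before an audit window: active exceptions about to lapse."""
    return sorted((e.host, e.cid, e.expires_on) for e in exceptions
                  if is_active(e, today) and (e.expires_on - today).days <= within_days)


if __name__ == "__main__":
    eff = effective_results(FINDINGS, EXCEPTIONS, TODAY)
    print("score with exceptions applied:", compliance_score(eff))
    print("reverted to Fail (expired):  ", reverted_to_fail(FINDINGS, EXCEPTIONS, TODAY))
    print("expiring within 30 days:     ", expiring_soon(EXCEPTIONS, TODAY))
```

With the constructed data the score is 8/10: fin01 and fin04 are excepted, fin02's exception lapsed yesterday and silently became a Fail again, and fin03 is still pending so it never left Fail. The `expiring_soon` list is the pre-audit check the tip above describes; `validate_request` is the gate that keeps undated or unowned waivers out of the trail in the first place.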

Quick check · Q4 of 10 · Analyze

A CIS Level 2 control fails because the application vendor prohibits the required SSH setting. The correct Qualys PC action is:

Answer: raise a Mitigating Control exception. It is the right type when a vendor constraint prevents remediation but a compensating control exists. It preserves the audit trail, documents the business decision, and auto-reverts on expiry. Editing the expected value or deleting the control destroys evidence.
👉 So far: Exceptions = typed (Mitigating Control / Risk Acceptance / False Positive), dated, justified — auto-revert on expiry. Never delete a failing control; always raise an exception instead.


📝 Wrap-up assessment — six more


Q5 · Remember

Which Qualys module is bundled inside VMDR and focuses exclusively on CIS Benchmarks via the Cloud Agent?

Answer: SCA. It is the CIS Benchmark-focused, agent-only module bundled inside VMDR. Policy Compliance (PC) is the broader, separately licenced module supporting multiple mandate families and both scanner and agent collection.
Q6 · Understand

A control evaluation returns 'Error'. The most accurate statement is:

Answer: the platform could not retrieve the configuration data at all. Error is a collection failure, not a compliance verdict. Common causes: missing or incorrect scan credential, offline agent, or unsupported technology version. Fix collection before drawing compliance conclusions.
Q7 · Apply

A PCI DSS auditor asks for formal evidence that all Windows servers meet configuration baselines. Which Qualys PC output is the correct deliverable?

Answer: the policy report PDF. It is the formal audit artefact in Qualys PC: it lists every control evaluated, the actual and expected values, the Pass/Fail/Error result, the evidence and a timestamp. An SCA dashboard screenshot or a CSV is not sufficient for a formal PCI DSS audit.
Q8 · Analyze

Your compliance score drops 18 points overnight with no new scan. The most likely cause is:

Answer: expired exceptions. Expired exceptions auto-revert to Fail, immediately reducing the posture score. A sudden overnight drop with no new scan is the classic sign of batch exception expiry. Check PC ▸ Exceptions ▸ Recently Expired before investigating other causes.
Q9 · Evaluate

A CIS Level 2 control fails because the application vendor explicitly prohibits the required setting. The best Qualys PC action is:

Answer: raise a Mitigating Control exception. It is the correct type when a vendor constraint prevents remediation but a compensating control exists (e.g. network segmentation). It preserves the audit trail, documents the business decision, and auto-reverts on expiry. Editing the expected value or deleting the control destroys evidence.
Q10 · Evaluate

An interviewer asks: 'Are CIS STIG benchmarks and DISA STIGs interchangeable in a US federal audit?' Best answer:

Answer: not automatically. CIS STIG benchmarks (labelled in the Qualys library in 2026) are aligned to DISA STIGs, with the same underlying controls in CIS formatting, but they are not interchangeable in every federal or DoD audit; always confirm customer acceptance before using CIS STIG as the primary evidence artefact.

🧠 In your own words

Type one line: what is the difference between a Qualys PC 'Fail' result and an 'Error' result, and why does it matter? Then compare with the expert version.

Expert version: A Fail means the platform collected the configuration data and the actual value does not match the expected value in the policy — there is a real misconfiguration to fix. An Error means the platform could not collect the data at all — a missing credential, an offline agent, or an unsupported OS version. It matters because treating Errors as Fails inflates your Fail count, sends engineers chasing phantom issues, and gives management a false picture of risk. Fix collection gaps first; only then does your Fail count mean something.


📖 Glossary

Policy Compliance (PC)
Qualys module that checks configuration controls against mandate-based policies (CIS, DISA, PCI, ISO, custom) using scanner and/or agent collection, producing formal audit reports.
Security Configuration Assessment (SCA)
Lightweight, CIS Benchmark-focused module bundled inside VMDR — agent-only, designed for fast cloud and on-prem posture checks.
PC Control
The atomic compliance check — one expected configuration value for one technology. Evaluated as Pass, Fail or Error.
CIS Benchmark
Community-developed secure configuration guidelines (Level 1 = minimum, Level 2 = defence-in-depth) covering OS, cloud, containers, databases and applications.
DISA STIG
Security Technical Implementation Guide — the US DoD authoritative configuration hardening standard; CIS STIG benchmarks are CIS-formatted equivalents added to the Qualys library in April 2026.
Compliance Score
The percentage of controls in a policy that evaluate to Pass for a given asset or asset group — the primary number auditors and management use to measure posture.
Exception
A dated, typed, justified waiver for a failing control in Qualys PC — types are Mitigating Control, Risk Acceptance, or False Positive. Auto-reverts to Fail on expiry.
Error (control result)
A data-collection failure — the platform could not retrieve the configuration. Not a compliance verdict; fix credentials or agent before drawing conclusions.


What's next?

Got Policy Compliance? Next, go deep on Qualys Patch Management and how auto-remediation closes the loop between a failed control and a fixed asset — without ever leaving the VMDR platform.